ICSA, Inc.
For more information, call 888-396-8348 28
An Introduction to Intrusion Detection and Assessment
information generated in that host or the signature against which the information is matched. The network-level analysis can take the results from the host-level analysis and use them to detect signs of network-wide attack or suspicious behavior without incurring as heavy a network load. Furthermore, in larger networks, this sort of approach can be applied hierarchically. That is, groups of hosts can report to a network analysis engine, which in turn reports its results to another analysis engine that collects results from a number of other network analysis engines, and so on. This hierarchical structure lets intrusion-detection products succeed even in larger organizations.
Types of Analysis
Signature analysis
Signatures are patterns corresponding to known attacks or misuses of systems. They may be simple (character string matching looking for a single term or command) or complex (a security state transition written as a formal mathematical expression). In general, a signature can be concerned with a process (the execution of a particular command) or an outcome (the acquisition of a root shell).
Signature analysis is pattern matching of system settings and user activities against a database of known attacks. Most commercial intrusion detection products perform signature analysis against a vendor-supplied database of known attacks. Additional signatures specified by the customer can also be added as part of the intrusion detection system configuration process. Most vendors also include periodic updates of signature databases as part of software maintenance agreements.
One advantage of signature analysis is that it allows sensors to collect a more tightly targeted set of system data, thereby reducing system overhead. Unless signature databases are unusually large (say hundreds of thousands or millions of complex signatures), signature analysis is usually more efficient than statistical analysis due to the absence of floating point computations.
Statistical analysis
Statistical analysis finds deviations from normal patterns of behavior. This feature, common in research settings, is found in few commercial intrusion detection products. Statistical profiles are created for system objects (e.g., users, files, directories, devices, etc.) by measuring various attributes of normal use (e.g., number of accesses, number of times an operation fails, time of day, etc.). Mean frequencies and measures of variability are calculated for each type of normal usage. Possible intrusions are signaled when observed values fall outside the normal range. For example, statistical analysis might signal an unusual event if an accountant who had never previously logged into the network outside the hours of 8 AM to 6 PM were to access the system at 2 AM.
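The two analysis types described above, as an added example that is not part of the original document: a signature check matches command lines against constructed process and outcome patterns, and a statistical check builds a per-user login-hour profile (mean and standard deviation) from constructed audit records and flags the accountant's 2 AM login. The signatures, the audit records and the threshold of 2.5 standard deviations are all assumptions for illustration, not a vendor database.

```python
import re
import statistics

# Constructed audit records for one user: (user, login_hour, command_line).
# Normal use is confined to 8 AM to 6 PM, as in the accountant example above.
AUDIT_LOG = [
    ("accountant", 9, "ls -l /home/accountant/reports"),
    ("accountant", 10, "cat quarterly.xls"),
    ("accountant", 8, "lpr invoice.ps"),
    ("accountant", 17, "logout"),
    ("accountant", 12, "mail boss"),
    ("accountant", 14, "cat ledger.txt"),
    ("accountant", 9, "vi budget.txt"),
    ("accountant", 18, "logout"),
    ("accountant", 11, "ls"),
    ("accountant", 16, "mail cfo"),
]

# Constructed signatures (not a real product's database). One is a
# process signature (a particular command was run), one is an outcome
# signature (evidence that a root shell was obtained).
SIGNATURES = {
    "setuid-bit-added": re.compile(r"\bchmod\s+[ug]?\+?s|\bchmod\s+[4-7]\d{3}\b"),
    "root-shell-acquired": re.compile(r"\buid=0\(root\)"),
}


def signature_matches(command_line):
    """Signature analysis: names of every known pattern found in one record."""
    return [name for name, pat in SIGNATURES.items() if pat.search(command_line)]


def build_profile(records, user):
    """Statistical profile: mean and variability of a user's login hours."""
    hours = [hour for who, hour, _ in records if who == user]
    return statistics.mean(hours), statistics.pstdev(hours)


def statistical_anomaly(profile, observed_hour, k=2.5):
    """Flag an observation more than k standard deviations from the mean.

    Returns (flagged, z_score); the 2 AM accountant login lands near z = -3.
    """
    mean, sd = profile
    z = (observed_hour - mean) / sd
    return abs(z) > k, round(z, 2)


def scan(records, user, new_hour, new_command):
    """Run both analyses on one new record and return the alerts raised."""
    alerts = ["signature:" + s for s in signature_matches(new_command)]
    flagged, z = statistical_anomaly(build_profile(records, user), new_hour)
    if flagged:
        alerts.append(f"statistical:login-hour z={z}")
    return alerts
```

Note that the signature check costs only a regular-expression search per record, while the statistical check needs the floating-point profile first, which is the efficiency difference the text draws.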
The advantages of statistical analysis are:
- The system may detect heretofore unknown attacks;
- Statistical methods may allow one to detect more complex attacks, such as those that occur over extended periods.
Disadvantages of statistical analysis (at this time) are:
- It is relatively easy for an adversary to trick the detector into accepting attack activity as normal by gradually varying behavior over time;
- The possibility of false alarms is much greater in statistical detectors;
- Statistical detectors do not deal well with changes in user activities (e.g., when the man-